Thank you Philipp and Damian for your response. I will inform you about the outcome of our work.
Frank

On Mon, Mar 9, 2015 at 8:02 PM Philipp Winter <[email protected]> wrote:

> On Mon, Mar 09, 2015 at 11:15:21PM +0000, Francois Valiquette wrote:
> > By reading the documentation of torflow, it is yet not clear to me
> > exactly which tests you are doing. One part of my project is to make a
> > description of each possible attack an Exit Node can make and a
> > description of a detection/mitigation mechanism for each of the attacks,
> > but also I would like to implement one or more tests that have not been
> > implemented by torflow.
>
> As Damian mentioned, we are mostly using exitmap [0] these days.
> TorFlow is no longer supported and several people had issues getting it
> to run because of bit rot.
>
> > Here is a list of attacks that we think that a malicious Exit Node could
> > do. The list is not complete, we will expand it. I would like to know
> > what type of attacks you have not tested and also, feel free to complete
> > this list.
> >
> > -SSL and non-SSL Sniffing (Session Hijacking, emails, web URL, IRC
> > channel, FTP)
>
> exitmap has no module to detect sniffing but some folks have written
> HoneyConnector [1] for that purpose. It can detect sniffing for FTP and
> IMAP as long as the adversary later tries to log in with the sniffed
> credentials.
>
> > -Virus Injection (Linux, OSX, Windows, Android)
>
> Something like this is implemented in the patchingCheck module:
> <https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/patchingCheck.py>
>
> > -DNS Rebinding
>
> We have a module that checks several domains:
> <https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/dns.py>
>
> > -Misc Injection/Tampering: advertisements, JavaScript, etc
> > -SSL MITM with CN
> > -SSL MITM (revoked certificate, expired certificate and untrusted
> > certificate)
> > -SSL Downgrade attacks
> > -SSL stripping
>
> We have modules for these attacks but they aren't available publicly.
> If you are interested, please contact me off-list and I can send them to
> you.
>
> > -Pharming Attacks
> > -Dropping TLS connections
> > -Spurious RST packets
> > -Exploiting Bittorrent Tracker to reveal a user's real IP
>
> It would be great to see modules for these attacks. If you are
> interested in extending exitmap, I have a suggestion below.
>
> On a general note, we see two classes of malicious exit relays. The
> opportunistic attacker typically sets up a fresh relay, starts an
> off-the-shelf MitM tool, and is curious to see what happens. These
> attacks don't last long and are easy to detect. It's not that easy with
> the second class, that is attackers who target specific web sites. All
> other web sites can remain unaffected, which makes it hard to find these
> exits. These attackers make an effort to stay under the radar, e.g.,
> MitM only requests coming from Tor Browser. As a result, these attacks
> are trickier to detect and after blacklisting such an exit relay, a new
> one often pops up, similar to a game of Whac-A-Mole.
>
> To do better against these attackers, it would be great to have
> "adaptive" scanning modules that are able to pick their own targets.
> For example, such a module could be seeded with a set of domains and it
> then extracts other domains to visit from the HTML code of the seed set.
>
> [0] <https://gitweb.torproject.org/user/phw/exitmap.git/>
> [1] <https://github.com/mmulazzani/HoneyConnector>
>
> Cheers,
> Philipp
> _______________________________________________
> tor-dev mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
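The "adaptive" target selection Philipp suggests at the end of the quoted mail, written out as a stand-alone Python sketch. This is an added example, not exitmap's own module API or code from the thread: the seed set is expanded by pulling hostnames out of links in each fetched page, and the fetch step is a stub fed with constructed HTML so it runs offline (a real module would fetch through the exit under test).

```python
"""Adaptive target expansion for an exit-relay scanner (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkExtractor(HTMLParser):
    """Collects every href/src attribute value seen in a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def extract_hosts(html, base_host):
    """Hostnames linked from `html` over http(s) or protocol-relative URLs,
    excluding `base_host` itself, relative paths and other schemes."""
    parser = _LinkExtractor()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https", "") or not parts.hostname:
            continue  # mailto:, javascript:, "/path" and friends are skipped
        if parts.hostname != base_host:
            hosts.add(parts.hostname)
    return hosts


def expand_targets(seeds, fetch, max_depth=1):
    """Breadth-first: fetch each target, add the hosts it links to, repeat
    for `max_depth` hops. `fetch(host)` returns page HTML or None."""
    targets = set(seeds)
    frontier = set(seeds)
    for _ in range(max_depth):
        discovered = set()
        for host in sorted(frontier):
            html = fetch(host)
            if html:
                discovered |= extract_hosts(html, host) - targets
        targets |= discovered
        frontier = discovered
    return targets


# Constructed sample pages standing in for fetches through an exit relay.
SAMPLE_PAGES = {
    "seed-a.example": '<a href="https://seed-b.example/login">b</a>'
                      '<script src="//cdn.example/x.js"></script>'
                      '<a href="/local">l</a><a href="javascript:void(0)">j</a>',
    "seed-b.example": '<img src="http://img.example/logo.png">',
    "img.example": '<a href="https://deep.example/">deep</a>',
}


def fetch_sample(host):
    """Offline stand-in for the real fetch; unknown hosts return None."""
    return SAMPLE_PAGES.get(host)


if __name__ == "__main__":
    print(sorted(expand_targets(["seed-a.example"], fetch_sample, max_depth=3)))
```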
